Disabling Internet Access

windows dns proxy
45 replies to this topic

#16 Ignatius

Ignatius

    Private First Class

  • Members
  • 84 posts

Posted 17 November 2007 - 10:11 AM

Here what we want to do is first of all, check the box that is at the top labeled Enable TCP/IP Filtering (All Adapters). Then make sure the following are selected, above TCP Ports, check PERMIT ONLY. The others should remain at Permit All (for UDP Ports & IP Protocols). Then just add in the ports you WANT to allow, however I recommend adding at least ONE port like 161 (SNMP), just to make sure the Filtering kicks in. Also be sure you do not type in port 80 though, because that is what we are trying to block, and would totally defeat the whole purpose of this. Don't forget to apply settings when done.

I followed this to the letter and I could still access the internet! The only way that I could get it to block was to set all three areas to "Permit Only" and I didn't have to add any entries into the boxes. I'm using XP Pro SP2 which is fully patched, if that's relevant.

Just a question about this technique, presumably the filtering works on the remote port that's being accessed, hence you recommended against using 80? If this is correct, I guess I could use it to block SMTP (25) and POP (110) but still allow HTTP (80)?

#17 oniric

oniric

    Private First Class

  • Members
  • 23 posts

Posted 17 November 2007 - 10:22 AM

I followed this to the letter and I could still access the internet! The only way that I could get it to block was to set all three areas to "Permit Only" and I didn't have to add any entries into the boxes. I'm using XP Pro SP2 which is fully patched, if that's relevant.


I also did like you, I set all the three to PERMIT ONLY without any entries. So it's also uniform and difficult to notice. I haven't tried to check PERMIT ONLY only for TCP but it SHOULD work given that HTTP travels over TCP. Notice that rebooting is needed for changes to take effect.

Regarding the filtering rules there isn't support for blacklisting but only for whitelisting so you can permit port 80 but then you have to know every other port you will use.. oh well, this blocks SMTP and POP :P

#18 blackhat420

blackhat420

    Private First Class

  • Members
  • 36 posts

Posted 17 November 2007 - 10:33 AM

Just a question about this technique, presumably the filtering works on the remote port that's being accessed, hence you recommended against using 80? If this is correct, I guess I could use it to block SMTP (25) and POP (110) but still allow HTTP (80)?



Ignatius, yes you are correct it deals with the filtering of remote ports. If you wanted to block SMTP and POP but allow HTTP, you would enter in the HTTP port (80) under TCP - Permit Only. Since there is an implicit deny at the end of all lists of this type, any traffic destined to a TCP port besides 80 is automatically filtered and dropped.

Oniric, When I tested the first method.. I just used the TCP filtering rules ONLY to Permit Only with nothing input'd except for one or two common tcp ports. Since HTTP is tcp really that is all that usually must be disabled.
If you would like the target machine to still be able to access things like POP3 email then under TCP Permit Only section add your pop3 (110) and smtp (25) ports :-)

One more question for you Oniric, you mentioned something about changing the Wireless Network band? Well this may not apply to you but *MOST* routers nowadays actually come default with 802.11a/b/g enabled, so if you don't have access to the router... that may introduce a problem. Then again maybe your router only broadcasts on one or two bands so that would work out just fine.

#19 Ignatius

Ignatius

    Private First Class

  • Members
  • 84 posts

Posted 17 November 2007 - 12:33 PM

I'm grateful for the guidance in this thread - it's a bit "fiddly" deciding which port(s) and/or IP Protocols should be allowed/denied for a particular scenario. This setting is something which I've never "played" with, nor have I felt the need to investigate, but it's turned into an interesting learning experience. I also like the DNS trick. I just wondered if there's any other setting, say in Group Policy, which might deny internet access?

Finally, I agree with the inference that the rebooting is a pain in the <***fill in the noun***>!

#20 oniric

oniric

    Private First Class

  • Members
  • 23 posts

Posted 17 November 2007 - 01:21 PM

One more question for you Oniric, you mentioned something about changing the Wireless Network band? Well this may not apply to you but *MOST* routers nowadays actually come default with 802.11a/b/g enabled, so if you don't have access to the router... that may introduce a problem. Then again maybe your router only broadcasts on one or two bands so that would work out just fine.


Duh, you are right. My technique only works if the router or the access point has one standard enabled.

I join Ignatius in the quest for other hidden settings!

#21 Ignatius

Ignatius

    Private First Class

  • Members
  • 84 posts

Posted 17 November 2007 - 01:43 PM

I came across this registry tweak (hxxp://www.pctools.com/guides/registry/detail/1288/) to disable internet access on a per-user basis. Unfortunately, it also disables Outlook. I'll continue searching - in the hope that others continue also!

#22 blackhat420

blackhat420

    Private First Class

  • Members
  • 36 posts

Posted 17 November 2007 - 01:45 PM

I mean depending how badly you wish to block the connections you could come up with a multitude of work-arounds that will produce the same end result. The problem is the users you are trying to block, how much they know, and how easily the problem is fixable. Personally if it was me, I would go to the router (even if I didn't have configuration access to it), find the reset button on it and use it so that the password resets to default, then you could realllllly mess with them good.
You could do something like change the DNS servers on the router so instead of being assigned by the WAN/ISP, you can specify to use an alternate DNS source such as www.opendns.com . With opendns you are allowed a great amount of customizability and can do things (for free) like view web page lookup statistics ANDDDDD BLOCK specific websites/domains! If you did it like this their internet would *SEEM* fully functional but lo and behold none of their www.web_site_name.com requests are able to be resolved!

If you still are not satisfied with the results given by the methods posted so far, let me know and I can post some other work arounds to disallow website viewing locally on a windows machine.

Ignatius good call on the registry tweaking :-) That was going to be my next area to mention but you beat me to it!
There should be a couple ways to deny it via registry changes.

-bh420

#23 Ignatius

Ignatius

    Private First Class

  • Members
  • 84 posts

Posted 17 November 2007 - 02:37 PM

...If you still are not satisfied with the results given by the methods posted so far, let me know and I can post some other work arounds to disallow website viewing locally on a windows machine. ...


I am very satisfied with what's been covered so far :-) This thread has caught my interest and I'm keen to know more. I've just been looking into <route add ...> and just wonder if that can be a user-specific login script, i.e. only run for users A and C but not for users B and D? The problem that I've seen before with a logon script is that the fact that it's running is displayed at logon. I realise that this sort of tweaking is best done in a domain environment but I'm sure that there are families with access to only one PC which mum, dad and 2 children all use and such local control of web access may be vital.

#24 oniric

oniric

    Private First Class

  • Members
  • 23 posts

Posted 17 November 2007 - 03:21 PM

Maybe you already know this but I've been testing it right now after your hint, Ignatius.

You can set a default gateway for the internet network interface using this command

route -p add 0.0.0.0 mask 0.0.0.0 192.168.2.90

and a new PERSISTENT rule will be created. Persistent means that it's gonna stay even if the user does a renew for the IP address and even after a reboot. The gateway IP needs to be consistent with the interface address but you can always set it with an unused address like 192.168.2.90 is in my network now. The only way a user can notice this is by running in the CLI the command

route print

or by viewing the State properties of the network connection and then checking the Support tab (please forgive me if these indications aren't 100% correct. I don't have Windows XP in English language..).

Am I correct or am I saying "victory" too soon? :unsure:

#25 blackhat420

blackhat420

    Private First Class

  • Members
  • 36 posts

Posted 17 November 2007 - 04:36 PM

That method had crossed my mind, but isn't it fixable with a simple 'route /f' command? I could be wrong but as I recall that flushes all gateway entries and default routes (even persistent ones). After thinking some more, the 'Repair' feature located on XP and Vista, via the Network Connection properties window -- automatically flushes the tables while releasing/renewing the IP address.

#26 oniric

oniric

    Private First Class

  • Members
  • 23 posts

Posted 17 November 2007 - 04:54 PM

That method had crossed my mind, but isn't it fixable with a simple 'route /f' command? I could be wrong but as I recall that flushes all gateway entries and default routes (even persistent ones). After thinking some more, the 'Repair' feature located on XP and Vista, via the Network Connection properties window -- automatically flushes the tables while releasing/renewing the IP address.


route -f isn't so simple as you tell. The vast majority of Windows users doesn't even know this command exists.
Before writing my post I tried to use the Repair function and this hadn't deleted the entry that I added. Could someone make a test? Please consider I was using a static IP when I made the test.

#27 blackhat420

blackhat420

    Private First Class

  • Members
  • 36 posts

Posted 17 November 2007 - 05:14 PM

I will test it right now on my freshly wiped/patched VMware XP box. Will edit this post and return with results momentarily! :-)

--Results--
Well, I'm not sure if I'm not following your instructions right or something else... when I add a default route to a non used IP there are no problems. After I added the route I went to internet explorer typed in www.google.com and it pulled up just fine. So, I wondered why this could be? Here is my routing table


Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.8      10
          0.0.0.0          0.0.0.0     192.168.1.90     192.168.1.8       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0  255.255.255.128      192.168.1.8     192.168.1.8      10
      192.168.1.8  255.255.255.255        127.0.0.1       127.0.0.1      10
    192.168.1.255  255.255.255.255      192.168.1.8     192.168.1.8      10
        224.0.0.0        240.0.0.0      192.168.1.8     192.168.1.8      10
  255.255.255.255  255.255.255.255      192.168.1.8     192.168.1.8       1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0     192.168.1.90       1

See the reason I believe why this isn't working, is that with Windows the DEFAULT GATEWAY is specified outside of the routing table, unlike linux. So even with this default route in, as you can see it STILL has the default gateway located right above the line of =====================
Default gateway could be changed, however if the users are dynamically assigned an IP, they will also be assigned a DG. If you wanted to change their default gateway you would have to switch them to a static IP... and at that rate you're probably better off doing one of the methods previously described!

Interesting note was, after I had changed my routing table, and then was going to test to see if the entry was deleted by using the 'Repair' option in the Adapter Details, it dropped my regular default gateway and instead the 192.168.1.90 (unused) address was applied. So really this is a great idea you guys thought of, for people who want to disallow network access. Just add the default route to your routing table, then run the repair option on your ethernet adapter. The only downside is with this method NO network functions will work, the packets are directed at a non-existent gateway, then dropped. Also another concern is that if the IP is assigned via DHCP, you may have to worry about the DHCP assigned default gateway over-writing the one in the routing table. Anyways good work :-p



#28 oniric

oniric

    Private First Class

  • Members
  • 23 posts

Posted 18 November 2007 - 02:38 AM

That's strange blackhat420, here's my routing table after I gave the command:

Route attive:
   Indirizzo rete             Mask          Gateway       Interfac.  Metric
          0.0.0.0          0.0.0.0      192.168.2.1     192.168.2.3      25
          0.0.0.0          0.0.0.0     192.168.2.90     192.168.2.3       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.2.0    255.255.255.0      192.168.2.3     192.168.2.3      25
      192.168.2.3  255.255.255.255        127.0.0.1       127.0.0.1      25
    192.168.2.255  255.255.255.255      192.168.2.3     192.168.2.3      25
        224.0.0.0        240.0.0.0      192.168.2.3     192.168.2.3      25
  255.255.255.255  255.255.255.255      192.168.2.3     192.168.2.3       1
Gateway predefinito:   192.168.2.90
===========================================================================
Route permanenti:
   Indirizzo rete             Mask   Indir. gateway  Metric
          0.0.0.0          0.0.0.0     192.168.2.90       1

As you can see the command also modified the default gateway value. Windows oddity?
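A small checker for the kind of `route print` output shown in the two tables above, added here as an example and not code from anyone in the thread. It parses the Active Routes and Persistent Routes sections by row shape rather than header words (so the Italian table parses the same as the English one) and reports what a defender or auditor would want flagged after a `route -p add 0.0.0.0 mask 0.0.0.0 ...`: extra default routes, a persistent default route, and a declared default gateway that disagrees with the lowest-metric 0.0.0.0 route. The sample table and the `expected_gw` value are constructed for the example.

```python
import ipaddress

# Constructed sample modelled on the XP "route print" tables quoted in this
# thread; the addresses are made-up lab values, not taken from a real host.
SAMPLE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.8      10
          0.0.0.0          0.0.0.0     192.168.1.90     192.168.1.8       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0      192.168.1.8     192.168.1.8      10
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0     192.168.1.90       1
"""

def _is_ip(tok):
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False

def parse_route_print(text):
    """Return (active, persistent, declared_gateway). Rows are recognised by
    shape (IPv4 fields + metric), not by header words, so a localised table
    parses the same way as an English one."""
    active, persistent, declared = [], [], None
    for line in text.splitlines():
        t = line.split()
        ips = [tok for tok in t if _is_ip(tok)]
        if len(t) == 5 and len(ips) == 4 and t[4].isdigit():     # active route row
            active.append({"dest": t[0], "mask": t[1], "gw": t[2], "metric": int(t[4])})
        elif len(t) == 4 and len(ips) == 3 and t[3].isdigit():   # persistent route row
            persistent.append({"dest": t[0], "mask": t[1], "gw": t[2], "metric": int(t[3])})
        elif ":" in line and len(ips) == 1 and t[-1] == ips[0]:  # "Default Gateway: x"
            declared = ips[0]
    return active, persistent, declared

def check_default_routes(text, expected_gw):
    """Findings worth flagging: extra or persistent default routes, and a
    declared gateway that disagrees with the lowest-metric 0.0.0.0 route."""
    active, persistent, declared = parse_route_print(text)
    defaults = [r for r in active if r["dest"] == "0.0.0.0" and r["mask"] == "0.0.0.0"]
    findings = []
    if len(defaults) > 1:
        findings.append("multiple default routes: " + ", ".join(
            f"{r['gw']} (metric {r['metric']})" for r in defaults))
    if defaults:
        best = min(defaults, key=lambda r: r["metric"])  # Windows prefers the lowest metric
        if best["gw"] != expected_gw:
            findings.append(f"lowest-metric default route via {best['gw']}, expected {expected_gw}")
        if declared and declared != best["gw"]:
            findings.append(f"declared default gateway {declared} disagrees with route via {best['gw']}")
    for r in persistent:
        if r["dest"] == "0.0.0.0" and r["gw"] != expected_gw:
            findings.append(f"persistent default route via {r['gw']} (survives reboot and IP renew)")
    return findings
```

Run `check_default_routes(open("route.txt").read(), "<your real gateway>")` against a saved `route print` capture; an empty list means the default route looks as expected.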

#29 blackhat420

blackhat420

    Private First Class

  • Members
  • 36 posts

Posted 18 November 2007 - 07:28 AM

Yea it could be just a VMware artifact, but anyways I think between the few of us brainstorming here we got some pretty good ideas :-)

#30 Ignatius

Ignatius

    Private First Class

  • Members
  • 84 posts

Posted 18 November 2007 - 08:54 AM

If a persistent route remains after rebooting, is it possible to have a particular script run when a certain user (or users) log on? What I mean is if there's a script to add the new persistent route (AddRoute) and a second script to delete it (DeleteRoute), can it be arranged to have AddRoute run when users A or C logs on and DeleteRoute run when users B or D logs on? This will allow B & D but deny A & C access to the internet.

One other "trick" that I've come across is:

Control Panel>Add or Remove Programs>Set Program Access and Defaults>Custom>uncheck Enable access to this program (for IE).

I've not had chance to try this yet because I'm not using my own computer at present.

Between us, we've come across several techniques which could be used in combination. I'll continue to search because I'm sure there are more!